Hidden challenges emerge as data breach notification laws finally hit Australia

Australia’s new mandatory data breach disclosure law is attracting a lot of attention, and a lot of criticism. But it will also have some interesting – and perhaps unintended – consequences.

Most commentary has been about the fact that it will give Australia some of the strictest disclosure rules in the world. That is a good thing to some people and a bad thing to others.

Some critics, such as the recently formed group Data Governance Australia, are still trying to stop the law.

The chief executive of Data Governance Australia, Graeme Samuel, former head of the ACCC, says the legislation is “heavy-handed” and wants instead a voluntary industry code of conduct.

It is almost certainly too late for that.

After a long and tortuous path through Parliament that began five years and three governments ago, the bill has now been introduced to Parliament. It will almost certainly pass, because it has support from both sides of politics.

The legislation places a strong responsibility on public and private sector organisations to ensure they are aware of data breaches, and that they act on them promptly.

It sets the bar lower than many such laws in other jurisdictions. It will mean it is not enough that an organisation makes a disclosure after it discovers a breach. Reading the legislation literally, the disclosure must be made even if the organisation simply believes a breach has occurred.

The bill will have the effect of significantly raising the profile of data security in most organisations. That is a good thing – in the modern world nearly all our information assets are in electronic form, and those assets have significant value.

Unexpected consequences

But the legislation also has the potential to significantly affect planning for a national electronic ID plan, and for any attempts to harmonise state and federal moves in that direction.

The Australian Government’s Digital Transformation Agency – formerly the Digital Transformation Office – has indicated that it wants to introduce a voluntary electronic ID system, perhaps using voice identification technology already adopted by the Australian Taxation Office and Centrelink.

It would be used with the MyGov system, which enables a single sign-on by citizens wishing to deal online with multiple government departments.

But the NSW Government has developed a separate system for Service NSW, which does the same thing for people dealing with separate agencies in that state.

Other states are also considering electronic ID systems. There has been some talk of unifying them all through MyGov, but this is unlikely to happen without uniform privacy and data breach notification in each state.

The new data breach notification legislation covers Australian Government agencies and private organisations with an annual turnover of more than $3 million. But it does not cover state government agencies, all of which operate under their state’s own privacy laws, none of which include mandatory data breach disclosure.

The fact the states and territories are specifically excluded from the federal legislation makes co-operation on an electronic ID standard problematic.

Section 109 of the Constitution says federal law overrides state law, but the states may not wish to subject themselves to the more onerous reporting requirements of the federal data breach reporting legislation, which could act as a disincentive to any co-operation in this area.

Opportunity for harmony

This is a problem, but it is also an opportunity. It is an opportunity for the states to update and harmonise their privacy laws so that there is a uniform regime operating across the country.

That will ensure all government agencies – federal, state and local – will be able to take advantage of the requirements of the new law to improve the integrity of their systems, and to take advantage of a unified national electronic ID system.

That would have many advantages. A single sign-on for citizens dealing with governments at all levels would greatly facilitate the growth of e-government in Australia, and would mean all government agencies would need to be much more serious around security, and in particular around their ability to monitor, detect, respond and report on data breaches.

Originally, the new mandatory data breach disclosure legislation said that a notification must be made “if an entity is aware, or ought reasonably to be aware, that there are reasonable grounds to believe that there has been a serious data breach of the entity, the entity must, as soon as practicable after the entity becomes so aware, or ought reasonably to have become so aware, as the case may be”.

It stated that an organisation cannot claim it did not know a breach had occurred. It cannot be wilfully blind to breaches, and it cannot claim plausible deniability around security incidents.

It also means that breaches need to be properly investigated, and in a timely manner – you have a 30-day limit to conduct your investigation.

Reports since the draft bill was developed have stated that the government is considering changing the language to remove the requirement for notification if an organisation “ought to have been aware”. However, we are yet to see these changes take place.

Important change

Data breaches are not good for public trust and they are not good for people whose personal details are compromised. The bill marks an important change, because it says essentially that if a data breach occurs there are no mitigating circumstances.

Organisations will need to properly determine the amount of harm the breach causes.

It is clear that the intent behind the terminology in the legislation is to make it an imperative for organisations, in the private and public sectors, to step up their cyber security capabilities.

Over the last few years we have seen a large number of highly publicised data breaches, with substantial evidence that many organisations did not have effective processes or procedures, or the right people, to prevent the breaches, remediate them, or properly inform affected parties.

The new legislation is intended to ensure there is much less chance of that happening in Australia in the future.

All organisations will have to take cyber security more seriously, and be more proactive in improving their monitoring, detection and reporting.

By: Leonard Kleinman – Leonard Kleinman is chief cyber security adviser, Asia Pacific and Japan, for security company RSA.

Posted on: http://www.afr.com/technology/web/security/hidden-challenges-emerge-as-data-breach-notification-laws-finally-hit-australia-20161125-gsxnri


Brisbane Hosting & Website Hosting’s products and services include Website Hosting, Domain Names, DNS Services, Website Development, Website Design, Website Revamps, Website Maintenance, Social Media Campaigns and more.

Contact Brisbane Hosting on (07) 3889 2977 or via email info@brisbanehosting.com.au for further information and quote today.

Here’s How to Keep Your Computer Safe and Secure

I’m sure you’re aware there are hackers and viruses out there looking to wreak havoc and steal your hard-earned money, sensitive data and personal identity. But please don’t let this scare you away from using computers and technology.

Arming yourself with some knowledge and putting some proactive and defensive tools in place can go a long way. So here I share a few ways you can keep your computer safer and more secure.

Don’t call any phone number your computer tells you to.

A common method scammers use to reel you in is to display fake virus alerts on your computer and say you need to call in order to get your computer cleaned, or you need to download or buy some software that can fix it. These are completely false. I know these scammers are good at sounding convincing, but don’t listen to them.

Ignore phone calls out of the blue about your computer.

Another method scammers use to reel in victims is to cold call random people, say they have computer problems, and offer help or point you to someone who can help. Don’t trust anyone who calls out of the blue about your computer, even if they say they’re from Microsoft or some other big organisation. Legitimate companies don’t cold call people like that.

Be cautious of remote computer support.

Not all remote computer support companies are out to steal your money or data, or infect you with viruses, but they may not have qualified technicians either. Even if you don’t think they’re scamming you, ask yourself why you trust them with your computer. Perhaps find a local computer support company with good reviews that you can also see face to face and learn to trust.

Use good antivirus and anti-malware.

Although no one single antivirus or anti-malware program can catch or fix all the viruses and malware out there, you should still use one that’s proven to be good. I suggest Bitdefender Internet Security (www.bitdefender.com) and Malwarebytes Antimalware (www.malwarebytes.com).

Don’t use unsolicited cleaners or boosters.

There are many PC cleaners and boosters out there, but many don’t help that much, and especially aren’t worth paying for. If you have these types of programs on your computer and you don’t remember installing them, I suggest not using them unless you’re certain they’re legitimate. If you’d like to check out a legitimate cleaner, try the free edition of Glary Utilities (www.glarysoft.com) or CCleaner (www.piriform.com).

Back up your important documents and photos.

Just in case your computer becomes infected or it crashes, I suggest backing up anything you don’t want to lose. Though we can sometimes recover files after an incident, sometimes it’s just not possible or feasible. Backing up to an external hard drive or flash drive is a start, but you might want to consider paying for online backup, like CrashPlan (www.crashplan.com), so your data is safe even if there’s a fire or other physical disaster.

Use content filtering if you have children around.

The internet has tons of useful information, but it also has tons of worthless information and inappropriate content. Children can stumble upon this even when they aren’t looking for it, so it’s a good idea to be proactive. Though content filtering can’t block all inappropriate content, it can certainly help. I suggest using OpenDNS (www.opendns.com) along with adult supervision.

Eric Geier is the owner of On Spot Techs, which provides on-site computer repair and IT services at homes and businesses in the Dayton area. This article first appeared in The Dayton Daily News.

The New York Times

By: Eric Geier

Posted on: http://www.afr.com/technology/web/security/heres-how-to-keep-your-computer-safe-and-secure-20160927-grpxp9


ASX and ASIC Launch Big Company Cyber Health Checks for Top 100 Firms

The ASX and the corporate regulator have launched a new initiative to improve the cyber security defences of Australia’s biggest companies, urging the exchange’s top 100 firms to have a Cyber Health Check.

The program forms part of the federal government’s cyber security strategy that was launched earlier this year and it has been developed alongside professional services firms KPMG, Deloitte, EY and PwC and CERT Australia and has been based on a similar initiative in the UK with the FTSE 350.

ASX group executive Amanda Harkness said the sharing of best practice approaches was critical to businesses.

“Increased awareness and engagement by directors of listed companies are important steps in building the cyber resilience of Australian businesses,” she said.

“The better informed boards become, the more effectively they can assess their cyber security risks and opportunities, identifying areas where improvement is required.”

The initiative comes as the government has introduced a bill to bring in the long-awaited mandatory data breach notification rules, which will mean companies that have been breached or have lost data will need to report the incident as well as notify customers that have been directly impacted.

If a company fails to do this, it will face fines of up to $1.8 million for organisations and $360,000 for individuals, but the laws only apply to companies turning over $3 million or more.

Ms Harkness said participation in the program would assure shareholders of the top 100 companies that cyber security was a board priority.

“We encourage Australia’s largest listed companies to play their part,” she said.

Participants in the health check program will respond to a series of multiple choice questions such as what risk factors apply to their company, if they have a clear understanding of their company’s data assets and key information, and if they receive high level intelligence from the chief information officer or head of security.

They will also be asked if the company engages external parties to perform penetration testing, if they use public cloud servers and how significant a risk cyber security is in their opinion.

Cyber security breaches have been estimated to cost local businesses $1 billion a year.

Late last month the Australian Red Cross Blood Service was forced to apologise after the details of 550,000 blood donors were leaked online.

In August it was also revealed that Austrade and the Defence Department’s research division, the Defence Science Technology Group, had been attacked numerous times in the past five years by cyber criminals based in China.

By: Yolanda Redrup

Posted on: http://www.afr.com/technology/web/security/asx-and-asic-launch-big-company–cyber-health-checks-for-top-100-firms-20161109-gsl77l#ixzz4PTjMSjL4


Cyber safety start-up Family Zone launches $10 million IPO

Cyber safety business Family Zone, which allows parents to monitor and restrict their children’s internet browsing, will pursue an initial public offering to raise up to $5.5 million to ramp up its sales and marketing.

The company, which has developed a cloud-based control system that works across multiple internet-connected devices, will be valued at about $10 million when it lists in August.

In the last financial year, the business recorded only about $10,000 in product sales, but its product officially launched in March this year and has already locked in a number of major contracts with device manufacturers and telecommunication firms in the US and Asia.

Managing director Tim Levy, who is also the founder of Mo’s Mobiles, was inspired to start the business after his experiences with his own children.

“I had a couple of incidents at home with young kids that got me thinking about cyber safety technologies, and I found that it was really hard to implement protections that were sensible and workable,” he said.

“I was fighting with the kids about what they were accessing … the kids were getting addicted and staying up at night with the iPad under the doona, and then some of the content they were seeing, even on YouTube, was unacceptable.”

ASX mulls tighter listing rules

The Family Zone listing comes as the ASX is considering tightening the listing rules, effectively stopping very early stage companies from listing.

The consultation period on the changes ended late last month, but the exchange is yet to announce a decision on the proposed changes.

Under the changes companies would need to have either $5 million in net tangible assets, a market capitalisation of $20 million or profits of $500,000 in the past year to qualify for the exchange.

The ASX has previously indicated that if the rules were approved, it would try to implement them by September. Family Zone would not meet the market capitalisation test or the profits test, but would still be able to list if it has more than $5 million in tangible assets.

The Family Zone product works with all devices connected to a home network, including mobile devices via an app.

Mr Levy is also targeting third-party access providers such as telecommunications firms and device manufacturers, which will be able to run the software and offer it as a service to customers.

The company has locked in deals with a device manufacturer in southern California, which sells its products throughout the US and Europe, a company that provides internet to college buildings in Texas, and a telecommunications business in South East Asia.

“A key part of the commercialisation strategy is working with partners such as ISPs [internet service providers] and mobile carriers to allow them to quickly resell the Family Zone,” Mr Levy said.

The company expects to start seeing results from the Asian carrier deal in this half of the new financial year. In the next 12 months it will also be focusing on building its sales in Australia and establishing a physical presence in the US state of Texas.

Family Zone has recently appointed tech veteran John Sims as chairman. Mr Sims was previously Groupon’s software engineering head and has also served as BlackBerry’s global sales president.

By: Yolanda Redrup

Posted on: http://www.afr.com/technology/web/security/cyber-safety-startup-family-zone-launches-10-million-ipo-20160711-gq3nkr#ixzz4EFL80mCf
